CN106790310B - Method and system for integrating distributed denial of service attack protection and load balancing - Google Patents


Info

Publication number: CN106790310B
Authority: CN (China)
Prior art keywords: message, protection, protocol, type, normal
Legal status: Active
Application number: CN201710205715.4A
Other languages: Chinese (zh)
Other versions: CN106790310A
Inventors: 马涛, 张肖洒, 欧怀谷
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd
Application filed by Wangsu Science and Technology Co Ltd; priority to CN201710205715.4A; published as CN106790310A; granted and published as CN106790310B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service


Abstract

The invention discloses a method and a system that integrate distributed denial of service (DDoS) attack protection with load balancing. The method comprises the following steps: determining the type of a received packet and passing the packet, according to its type, to the protection module for that type, which inspects it and separates attack packets from normal packets; the protection module for that type filtering out the attack packets and handing the normal packets to a kernel thread module; and the kernel thread module modifying each packet according to its type and sending it. Because the DDoS protection function and the load balancing function run on the same device, the cost of a separate protection device is avoided and the two functions cooperate efficiently; the number of packet copies made during load balancing is reduced, so device performance is not degraded.

Description

Method and system for integrating distributed denial of service attack protection and load balancing
Technical Field
The invention relates to the field of computer communication, in particular to a method and a system for integrating distributed denial of service attack protection and load balancing.
Background
Distributed denial of service (DDoS) is the most common form of network attack today: it is simple, brute-force and effective, and can severely disrupt the service of the attacked target. As the internet has grown, attacks have come to use larger bandwidth and occur more frequently, and their impact is increasingly serious.
A DDoS attack aims to destroy the availability of its target, either by exploiting a defect in the target system's network service or by directly exhausting the target's system resources, so that the target can no longer provide normal service.
At a node, the usual protection is to deploy a hardware protection device against DDoS attacks. At the same time, a load balancing device is usually deployed in the node to balance traffic across the server cluster and obtain better performance; a common load balancing tool is Linux Virtual Server (LVS), which is widely used for load balancing inside nodes in the services of internet companies.
The prior art, however, has the following problems: (1) node DDoS protection is costly because it requires dedicated hardware; (2) the protection device and the load balancing device are independent of each other, so their connection state easily becomes inconsistent, causing problems in both protection and traffic handling; (3) the load balancing device has many processing stages, which affects the performance of the whole system.
Disclosure of Invention
To solve the problems of the prior art, embodiments of the present invention provide a method and a system that integrate distributed denial of service attack protection with load balancing. The technical scheme is as follows:
In one aspect, a method for integrating distributed denial of service attack protection and load balancing comprises the following steps:
determining the type of a received packet and passing the packet, according to its type, to the protection module for that type, which inspects it to obtain attack packets and normal packets;
the protection module for that type filtering the attack packets, or sending the normal packets to a kernel thread module; and
the kernel thread module modifying each packet according to its type and sending it.
Further, the step of passing the packet to the protection module for its type for inspection to obtain attack packets and normal packets, and the step of that protection module filtering the attack packets, specifically include:
counting the transmission rate of transmission control protocol (TCP) packets and, when that rate exceeds a threshold, performing SYN COOKIE verification, connection table lookup or HTTP behaviour verification on the TCP packets in excess of the threshold and filtering out the attack packets;
counting the transmission rate and bandwidth of user datagram protocol (UDP) packets for the source network protocol (IP) address and the destination IP address, and discarding UDP packets when their transmission rate or bandwidth exceeds a threshold; and
counting the bandwidth of internet control message protocol (ICMP) packets for the destination IP address, and discarding ICMP packets when their bandwidth exceeds a threshold.
Specifically, when the transmission rate of TCP packets is counted and an attack is deemed to have occurred because the rate exceeds a threshold, filtering the attack packets by SYN COOKIE verification, connection table lookup or HTTP behaviour verification comprises the following steps:
SYN FLOOD detection and protection: counting the SYN packets for each destination IP address and, when they exceed a threshold, starting protection and verifying in SYN COOKIE mode, that is, answering the attack packets with SYN/ACK packets carrying a COOKIE and verifying the subsequent ACK packets with that COOKIE;
ACK FLOOD detection and protection: protecting according to the connection table, passing legitimate handshake ACK packets into the kernel to establish a connection and directly discarding illegitimate ACK packets;
HTTP FLOOD detection and protection: counting hypertext transfer protocol (HTTP) request packets and, when they exceed a set threshold, starting protection, sending HTTP response packets with a verification field added to the IP address that initiated the request, and verifying that field in packets subsequently sent from that IP address.
Further, the step of the kernel thread module modifying the packet according to its type and sending it is specifically:
the kernel thread module receiving the normal packet through shared memory, looking up and modifying the destination address of the normal packet according to its type, and then encapsulating the normal packet for sending.
Specifically, the steps of looking up and modifying the destination address of the normal packet according to its type and then encapsulating it for sending are as follows:
determining whether a TCP-type packet is a handshake packet;
if it is a handshake packet, calling the interface of the Linux virtual server to establish a connection, modifying the handshake packet according to the physical (MAC) address of the next hop recorded in the connection table, encapsulating it and placing it in a send queue to await sending;
if it is not a handshake packet, processing it according to whether the connection table of the Linux virtual server contains a connection for the packet and whether the packet is a connection-ending packet.
Specifically, the steps of processing according to whether the connection table of the Linux virtual server contains a connection for the packet and whether the packet is a connection-ending packet are as follows:
searching the connection table of the Linux virtual server and determining whether it contains a connection corresponding to the packet;
if the connection table contains the connection, looking up the physical address of the next hop from the connection table entry, modifying and encapsulating the packet, and placing it in the send queue to await sending;
if the connection table does not contain the connection, determining whether the packet is a connection-ending packet;
if it is a connection-ending packet, copying the normal packet into the protocol stack and running the processing flow of the Linux virtual server to complete the update of the connection state;
if it is not a connection-ending packet, discarding the packet directly.
In another aspect, a distributed denial of service attack protection and load balancing integrated system comprises:
a distributed denial of service protection module, configured to determine the type of a received packet, pass the packet according to its type to the protection sub-module for that type, which inspects it to obtain attack packets and normal packets, and have that sub-module filter the attack packets or send the normal packets to a kernel thread module; and
the kernel thread module, configured to modify each packet according to its type and send it.
Further, the kernel thread module comprises:
a kernel packet transceiver module, configured to receive and send normal packets through shared memory; and
a load balancing module, configured to look up and modify the destination address of each normal packet according to its type, and then encapsulate and send it.
Further, the distributed denial of service protection module comprises:
a packet type determination sub-module, configured to determine the packet type;
a TCP protection sub-module, configured to count the transmission rate of TCP packets and, when it exceeds a threshold, perform SYN COOKIE verification, connection table lookup or HTTP behaviour verification on the TCP packets in excess of the threshold and filter the attack packets;
a UDP protection sub-module, configured to count the transmission rate and bandwidth of UDP packets for the source IP address and the destination IP address, and discard UDP packets when the rate or bandwidth exceeds a threshold; and
an ICMP protection sub-module, configured to count the bandwidth of ICMP packets for the destination IP address, and discard ICMP packets when the bandwidth exceeds a threshold.
Further, the TCP protection sub-module specifically comprises:
a SYN FLOOD detection and protection unit, configured to count the SYN packets for each destination IP address and, when they exceed a threshold, start protection and verify in SYN COOKIE mode, answering attack packets with SYN/ACK packets carrying a COOKIE and verifying the subsequent ACK packets with the COOKIE;
an ACK FLOOD detection and protection unit, configured to protect according to the connection table, passing legitimate handshake ACK packets into the kernel to establish a connection and directly discarding illegitimate ACK packets; and
an HTTP FLOOD detection and protection unit, configured to count HTTP request packets and, when they exceed a set threshold, start protection, send an HTTP response packet with a verification field added to the IP address that initiated the request, and verify that field in packets subsequently sent from that IP address.
The technical scheme provided by the embodiments of the invention has the following beneficial effects: the DDoS protection function and the load balancing function are integrated on the same device, so the cost of a separate protection device is avoided and the two functions cooperate efficiently; and the number of packet copies made during load balancing is reduced, so device performance is not affected.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of the distributed denial of service attack protection and load balancing integrated method provided by the present invention;
FIG. 2 is a detailed flow chart of step S103 in FIG. 1;
FIG. 3 is a block diagram of the distributed denial of service attack protection and load balancing integrated system 10 provided by the present invention;
FIG. 4 is a detailed block diagram of the distributed denial of service protection module 100 of FIG. 3;
FIG. 5 is a detailed block diagram of the kernel thread module 200 of FIG. 3;
FIG. 6 is a detailed block diagram of the transmission control protocol protection sub-module 102 of FIG. 4.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings.
As shown in FIG. 1, the present invention provides an implementation of a distributed denial of service (DDoS) protection and load balancing integrated method comprising the following steps: S101, determining the type of a received packet and passing it, according to its type, to the protection module for that type for inspection, obtaining attack packets and normal packets; S102, the protection module for that type filtering the attack packets or sending the normal packets to the kernel thread module; S103, the kernel thread module modifying the packet according to its type and sending it.
To avoid attacks and improve network performance, a network node must perform DDoS detection and protection and load balancing on the packets it receives, and these are generally performed in two separate hardware devices. The invention integrates DDoS detection and protection with load balancing in the same network node device (for example a server). When the node (server) receives a request packet from a client or another server, it first decodes the packet and, from the decoding result, determines whether it is a transmission control protocol (TCP), user datagram protocol (UDP) or internet control message protocol (ICMP) packet, and further whether a TCP packet is a handshake packet. The server receives packets through a UIO (user-space I/O) mechanism, which allows packets to be received and sent at high speed and delivered directly to the application, where processing is completed.
According to this determination, the packet is delivered to the protection module for its type, and each protection module performs detection and protection based on packet characteristics, protocol characteristics and packet statistics:
For TCP packets, the transmission rate is counted; an attack is deemed to occur when the rate exceeds a threshold, and attack packets are filtered by SYN COOKIE verification, connection table lookup, HTTP behaviour verification or similar means, according to the characteristics of the TCP packets.
For UDP packets, the transmission rate and bandwidth of UDP packets for the source Internet Protocol (IP) address and the destination IP address are counted, and UDP packets are discarded when the rate or bandwidth exceeds a threshold.
For ICMP packets, the bandwidth of ICMP packets for the destination IP address is counted, and ICMP packets are discarded when the bandwidth exceeds a threshold.
In this embodiment, detecting and protecting TCP packets further comprises: SYN FLOOD detection and protection, in which SYN packets are counted per destination IP address and, when they exceed a threshold, protection is started and the server verifies in SYN COOKIE mode, answering attack packets with SYN/ACK packets carrying a COOKIE and using the COOKIE to verify the information in the subsequent ACK packets; ACK FLOOD detection and protection, performed against the connection table, in which legitimate handshake ACK packets are passed into the kernel to establish the Linux Virtual Server (LVS) connection and illegitimate ACK packets are discarded directly; and HTTP FLOOD detection and protection, in which hypertext transfer protocol (HTTP) request packets are counted and, when they exceed a set threshold, protection is started and a specific HTTP response, for example a 302 redirect, is sent to the IP address that initiated the request, with verifiable fields added to the response content, after which those fields are verified in packets subsequently sent from that IP address. A normal client follows the response and includes the verification field from the response in its new request, whereas an attacking host does not behave this way.
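As an added illustration of the two verification steps just described (this is not code from the patent or from Wangsu), the following C sketch shows a stateless SYN cookie for the SYN FLOOD step and a redirect verification field for the HTTP FLOOD step. The 64-second time slot, the 24-bit FNV-1a digest keyed with a placeholder secret, the acceptance of the previous slot and the `?v=` query parameter are all assumptions made for this example; the patent does not specify the cookie or field format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the keyed hash is FNV-1a mixed with a placeholder
 * secret, chosen for brevity; a real deployment would use a keyed
 * cryptographic hash such as SipHash or the SHA-1 based scheme in Linux. */

struct four_tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

static const uint64_t SECRET = 0x5eedba5e5eedba5eULL;   /* placeholder key */

static uint64_t fnv_mix(uint64_t h, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        h ^= (v >> (8 * i)) & 0xffu;
        h *= 1099511628211ULL;
    }
    return h;
}

/* 24-bit keyed digest of the 4-tuple and a time slot. */
static uint32_t cookie_hash(const struct four_tuple *t, uint32_t slot)
{
    uint64_t h = 1469598103934665603ULL ^ SECRET;
    h = fnv_mix(h, t->saddr);
    h = fnv_mix(h, t->daddr);
    h = fnv_mix(h, ((uint32_t)t->sport << 16) | t->dport);
    h = fnv_mix(h, slot);
    return (uint32_t)(h ^ (h >> 32)) & 0xFFFFFFu;
}

/* 64-second slots, truncated to 8 bits so the slot fits inside the cookie. */
uint32_t time_slot(uint32_t now_sec) { return (now_sec >> 6) & 0xffu; }

/* Sequence number placed in the SYN/ACK; no per-SYN state is stored.
 * Relative to the client's ISN: top 8 bits = slot, low 24 bits = digest. */
uint32_t syn_cookie_make(const struct four_tuple *t, uint32_t client_isn, uint32_t now_sec)
{
    uint32_t slot = time_slot(now_sec);
    return client_isn + ((slot << 24) | cookie_hash(t, slot));
}

/* Check the handshake ACK (seq = client ISN + 1, ack = cookie + 1). The
 * current and the previous slot are accepted so that a slot boundary does
 * not reject a legitimate client. Returns 1 if the ACK answers a real SYN/ACK. */
int syn_cookie_check(const struct four_tuple *t, uint32_t ack_seq, uint32_t ack_ack, uint32_t now_sec)
{
    uint32_t client_isn = ack_seq - 1;
    uint32_t delta = (ack_ack - 1) - client_isn;      /* (slot << 24) | digest */
    uint32_t slot = delta >> 24, cur = time_slot(now_sec);
    if (slot != cur && slot != ((cur - 1) & 0xffu))
        return 0;                                     /* stale or forged slot */
    return (delta & 0xFFFFFFu) == cookie_hash(t, slot);
}

/* HTTP behaviour verification: the token carried in the 302 redirect is bound
 * to the client IP and the slot; a client that follows the redirect echoes it. */
static uint32_t http_token_for_slot(uint32_t client_ip, uint32_t slot)
{
    struct four_tuple t = { client_ip, 0, 0, 0 };
    return cookie_hash(&t, slot | 0x100u);   /* domain-separated from SYN cookies */
}

uint32_t http_token_make(uint32_t client_ip, uint32_t now_sec)
{
    return http_token_for_slot(client_ip, time_slot(now_sec));
}

int http_token_check(uint32_t client_ip, uint32_t token, uint32_t now_sec)
{
    uint32_t cur = time_slot(now_sec);
    return token == http_token_for_slot(client_ip, cur) ||
           token == http_token_for_slot(client_ip, (cur - 1) & 0xffu);
}

/* The response a client must follow; the field format "?v=" is an assumption. */
int build_redirect(char *out, size_t n, const char *path, uint32_t token)
{
    return snprintf(out, n, "HTTP/1.1 302 Found\r\nLocation: %s?v=%06x\r\n"
                            "Content-Length: 0\r\n\r\n", path, token);
}

/* Recover the echoed token from a request line; returns 0 if it is absent. */
int request_token(const char *request_line, unsigned int *token)
{
    const char *p = strstr(request_line, "?v=");
    if (!p) return 0;
    return sscanf(p + 3, "%6x", token) == 1;
}

int main(void)
{
    struct four_tuple t = { 0x0A000001u, 0x0A000002u, 40000, 80 };   /* constructed */
    uint32_t isn = 123456789u, cookie = syn_cookie_make(&t, isn, 100);
    printf("SYN cookie accepted: %d\n", syn_cookie_check(&t, isn + 1, cookie + 1, 100));
    char resp[160];
    build_redirect(resp, sizeof resp, "/index.html", http_token_make(t.saddr, 100));
    fputs(resp, stdout);
    return 0;
}
```

Both checks are stateless on the server side: nothing is stored per SYN or per request, so a flood cannot exhaust a table, and only a client that actually completes the exchange (returns the ACK, follows the redirect) is forwarded to the kernel thread module.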
In this way, the attack packets are filtered once inspection by the corresponding protection module is complete, and the normal packets are passed to the kernel thread module in the server through a shared memory mechanism.
The kernel thread module receives the normal packet through shared memory, looks up and modifies its destination address according to its type, and then encapsulates it for sending. The load balancing in the invention is mainly aimed at TCP packets; UDP and ICMP packets are handled in the general, conventional way.
FIG. 2 shows the specific steps of step S103 of the above embodiment. As stated above, the load balancing of the invention is mainly aimed at TCP-type packets; UDP or ICMP packets are processed in the generally common way, which is not repeated here:
Step S1031: determine whether the TCP-type packet is a handshake packet. If it is a handshake packet, go to step S1032; if it is not, go to step S1033.
The Linux virtual server applies different load balancing processing to the packet according to the packet type information obtained during DDoS detection and protection.
Step S1032: call the interface of the Linux virtual server to establish a connection, modify the packet according to the physical address of the next hop in the connection table, encapsulate it and place it in the send queue to await sending.
For TCP handshake packets, the server directly calls the interface of the Linux virtual server to establish the connection, modifies the destination physical address of the handshake packet according to the next-hop physical address recorded in the LVS connection table for packets that have passed through the load balancing logic, and then encapsulates the packet and places it in the send queue to await sending.
Step S1033: search the connection table of the Linux virtual server and determine whether it contains a connection corresponding to the packet. If it does, go to step S1034; if it does not, go to step S1035.
For TCP non-handshake packets, the server searches the LVS connection table to determine whether next-hop connection information exists for the packet's destination physical address. If it does, the connection table is considered to contain the connection for the packet and step S1034 is performed; if it does not, the connection table is considered not to contain the connection and step S1035 is performed.
Step S1034: find the physical address of the next hop from the connection table entry, modify and encapsulate the packet, and place it in the send queue to await sending.
For a TCP non-handshake packet whose connection is in the connection table, the server modifies the packet's destination physical address according to the next-hop physical address found in the LVS connection table in step S1033, then encapsulates the packet and places it in the send queue to await sending.
Step S1035: determine whether the packet is a connection-ending packet. If it is, go to step S1036; if it is not, go to step S1037.
Step S1036: copy the packet into the protocol stack and run the processing flow of the Linux virtual server to complete the update of the connection state.
For a TCP non-handshake packet whose connection is not in the connection table, if the packet is a connection-ending packet, it is copied into the protocol stack and its next-hop destination physical address is updated according to the normal processing flow of the Linux virtual server.
Step S1037: discard the packet.
FIG. 3 shows a distributed denial of service attack protection and load balancing integrated system 10 provided by the present invention, comprising a distributed denial of service protection module 100 and a kernel thread module 200.
The DDoS protection module 100 is configured to determine the type of a received packet, pass it according to its type to the protection sub-module for that type, which inspects it to obtain attack packets and normal packets, and have that sub-module filter the attack packets or send the normal packets to the kernel thread module; the kernel thread module 200 is configured to modify each packet according to its type and send it.
The server uses the UIO mechanism to receive and send packets at high speed, and forwards each received packet to the DDoS protection module 100 for detection and protection. The DDoS protection module 100 uses its detection model to inspect traffic by packet characteristics, protocol characteristics, packet statistics and the like; once an attack is found, it starts the protection algorithm and filters and verifies the attack traffic. For packets judged to be normal traffic, the server marks them and establishes a high-speed packet transfer channel through memory mapping (the shared memory mode), quickly handing the normal packets that need forwarding to the kernel thread module 200 for load balancing. The kernel thread module 200 receives the marked normal packets, performs the Linux virtual server logic through the encapsulated LVS interface according to the packet type, finds the destination server for each packet, modifies the packet, and finally the server sends it out.
Specifically, as shown in FIG. 4, the DDoS protection module 100 comprises a packet type determination sub-module 101, a TCP protection sub-module 102, a UDP protection sub-module 103 and an ICMP protection sub-module 104.
The packet type determination sub-module 101 determines the packet type; the TCP protection sub-module 102 counts the transmission rate of TCP packets and, when it exceeds a threshold, performs SYN COOKIE verification, connection table lookup or HTTP behaviour verification on the TCP packets in excess of the threshold and filters attack packets; the UDP protection sub-module 103 counts the transmission rate and bandwidth of UDP packets for the source IP address and the destination IP address and discards UDP packets when the rate or bandwidth exceeds a threshold; the ICMP protection sub-module 104 counts the bandwidth of ICMP packets for the destination IP address and discards ICMP packets when the bandwidth exceeds a threshold.
After receiving a packet, the server forwards it to the packet type determination sub-module 101, which decodes it, determines its type from the decoding result and then sends it, according to its type, to the TCP protection sub-module 102, the UDP protection sub-module 103 or the ICMP protection sub-module 104. Each protection sub-module uses its own detection model to inspect traffic by packet characteristics, protocol characteristics, packet statistics and the like; once an attack is found, it starts the protection algorithm and filters and verifies the attack traffic. Normal-traffic packets are marked and then forwarded through shared memory to the kernel thread module 200 for load balancing.
Besides these protection sub-modules there may be corresponding protection modules for other packet types, which are not described here.
Specifically, as shown in fig. 5, the kernel thread module 200 includes a kernel packet transceiver module 201 and a load balancing module 202.
The kernel packet transceiver module 201 is configured to receive and send normal messages through shared memory; the load balancing module 202 is configured to search and modify the destination address of each normal message according to the type of the message, and then to encapsulate and send it.
A normal message processed by the distributed denial of service protection module 100 is transferred to the kernel packet transceiver module 201 of the kernel thread module 200 through the shared memory mechanism, and the kernel packet transceiver module 201 passes it to the load balancing module 202 for load balancing.
In the present invention, the load balancing module 202 mainly handles messages of the transmission control protocol type; user datagram protocol messages and internet control message protocol messages are handled in the same way as transmission control protocol messages by conventional methods, which are not described here again.
For a handshake message of the transmission control protocol type (already decoded and classified by the message type judgment module 101), the load balancing module 202 directly calls the interface of the Linux virtual server to create a connection, modifies the destination physical address of the handshake message according to the next-hop physical address recorded for it in the Linux virtual server connection table by the load balancing logic, and then encapsulates the handshake message and places it in the sending queue to wait for sending.
For a non-handshake message of the transmission control protocol type, the load balancing module 202 searches the connection table of the Linux virtual server to determine whether the destination physical address of the message has next-hop connection information in the table. If it does, the connection table is considered to contain the connection corresponding to the message; the load balancing module 202 modifies the destination physical address of the message to the next-hop physical address found in the Linux virtual server connection table, encapsulates the message, and places it in the sending queue to wait for sending.
If the destination physical address of the message has no next-hop connection information in the connection table, the connection table is considered not to contain the connection corresponding to the message, and the load balancing module 202 further judges whether the message is a connection ending message. If it is, the message is copied and sent to the protocol stack, and the update of the next-hop destination physical address in the message is completed according to the normal processing flow of the Linux virtual server. If it is not a connection ending message, the message is discarded directly.
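The dispatch performed by the load balancing module 202 on marked normal transmission control protocol messages, written out as an added Python example (not code from the patent). It models the Linux virtual server connection table as a dictionary keyed by (client IP, virtual IP) that maps to the next-hop physical address, uses a round-robin stand-in for the Linux virtual server connection-creation interface, assumes the `handshake` mark is set by the protection module, and takes FIN or RST as the connection ending flags; all names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# TCP flag bits used to recognise connection ending packets (FIN or RST: assumption).
FIN, RST, ACK = 0x01, 0x04, 0x10


@dataclass
class Packet:
    src: str                 # client IP
    dst: str                 # virtual server IP the client addressed
    flags: int               # TCP flag bits
    handshake: bool = False  # mark set by the protection module (assumption)
    dst_mac: str = ""        # next-hop physical address, rewritten before sending


@dataclass
class LoadBalancer:
    """Kernel-thread side: dispatches normal TCP packets with an LVS-style
    connection table keyed by (client IP, virtual IP) and mapping to the real
    server's MAC (simplified key; a real table uses the full 5-tuple)."""
    real_servers: List[Tuple[str, str]]              # (real server IP, MAC)
    conn_table: Dict[Tuple[str, str], str] = field(default_factory=dict)
    send_queue: List[Packet] = field(default_factory=list)
    stack_copies: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)
    _next: int = 0

    def _lvs_create_connection(self, key):
        """Stand-in for the Linux virtual server interface: chooses a real
        server round-robin and records the next hop for this connection."""
        _ip, mac = self.real_servers[self._next % len(self.real_servers)]
        self._next += 1
        self.conn_table[key] = mac
        return mac

    def _enqueue(self, pkt, mac):
        pkt.dst_mac = mac            # modify the destination physical address
        self.send_queue.append(pkt)  # encapsulation happens when sending
        return "sent"

    def handle(self, pkt):
        key = (pkt.src, pkt.dst)
        if pkt.handshake:
            # Handshake message: create the LVS connection, then forward it.
            return self._enqueue(pkt, self._lvs_create_connection(key))
        mac = self.conn_table.get(key)
        if mac is not None:
            # Connection present in the table: forward along its next hop.
            return self._enqueue(pkt, mac)
        if pkt.flags & (FIN | RST):
            # No connection, but a connection ending packet: copy it to the
            # protocol stack so the normal LVS flow finishes the state update.
            self.stack_copies.append(pkt)
            return "to_stack"
        # No connection and not a connection ending packet: discard.
        self.dropped.append(pkt)
        return "dropped"
```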
Specifically, as shown in fig. 6, the transmission control protocol protection sub-module 102 includes a SYN FLOOD detection and protection unit 1021, an ACK FLOOD detection and protection unit 1022, and an HTTP FLOOD detection and protection unit 1023.
The SYN FLOOD detection and protection unit 1021 is used for counting the SYN messages of each destination network protocol address; when the threshold is exceeded, protection is started and verification in SYN COOKIE mode is adopted: SYN/ACK messages carrying a COOKIE are returned in response to the attack messages, and COOKIE verification is performed on the subsequent ACK messages.
The ACK FLOOD detection and protection unit 1022 is configured to perform protection according to the connection table: a valid handshake ACK message is passed to the kernel to create a Linux virtual server connection, and an invalid ACK message is discarded directly.
The HTTP FLOOD detection and protection unit 1023 is configured to count hypertext transfer protocol request messages; when a set threshold is exceeded, protection is started: a specific hypertext transfer protocol response message, such as a 302 Redirect, is sent to the network protocol address that initiated the request, a verifiable field is added to the content of the response message, and that field is then verified in the messages subsequently sent from the same network protocol address. A normal client follows the response after receiving it and includes the verification field from the response in its new request message, whereas an attacking end does not exhibit this behavior.
The transmission control protocol protection sub-module 102 may also include other pairs of detection and protection units, which are not enumerated here.
Integrating the distributed denial of service protection function and the load balancing function on the same device removes the cost of separate protection devices and lets the protection and load balancing functions cooperate efficiently; the number of message copies made during load balancing is reduced, so device performance is not affected.
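The SYN FLOOD and HTTP FLOOD units of sub-module 102 as an added Python example, not the patent's own code. It assumes a per-device HMAC key, a cookie layout of a 5-bit 64-second tick plus a 27-bit MAC, a query parameter named `_ddos_v` as the verifiable field, one-second counting windows and deliberately tiny thresholds; all addresses and function names are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-device-secret"  # assumption: per-device key, rotated
VERIFY_FIELD = "_ddos_v"               # assumption: name of the verifiable field


class RateGate:
    """Counts packets per key in fixed 1 s windows; protection starts once the
    count in the current window exceeds the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.window = {}  # key -> (window start second, count)

    def over_threshold(self, key, now):
        start, count = self.window.get(key, (int(now), 0))
        if int(now) != start:
            start, count = int(now), 0
        count += 1
        self.window[key] = (start, count)
        return count > self.threshold


def _mac(parts):
    return hmac.new(SECRET, "|".join(map(str, parts)).encode(), hashlib.sha256).digest()


def syn_cookie(src, sport, dst, dport, client_isn, now):
    """Server ISN for the SYN/ACK: 5-bit time tick (64 s) plus a 27-bit MAC over
    the 4-tuple, the client ISN and the tick, so no state is kept per SYN."""
    t = (int(now) // 64) & 0x1F
    mac = int.from_bytes(_mac([src, sport, dst, dport, client_isn, t])[:4], "big")
    return (t << 27) | (mac & 0x07FFFFFF)


def verify_syn_cookie(src, sport, dst, dport, seq, ack, now):
    """Check the handshake ACK: ack-1 must be a cookie issued in the current or
    previous tick for this 4-tuple and the client ISN (seq-1)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if (((int(now) // 64) & 0x1F) - t) % 32 > 1:
        return False  # stale tick or forged cookie
    expected = syn_cookie(src, sport, dst, dport, (seq - 1) & 0xFFFFFFFF, t * 64)
    return hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def http_token(src, minute):
    return _mac(["http", src, minute])[:12].hex()


def http_challenge(src, url, now):
    """302 Redirect to the same URL with the verifiable field bound to the source."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[VERIFY_FIELD] = [http_token(src, int(now) // 60)]
    location = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return {"status": 302, "Location": location}


def http_verified(src, url, now):
    """True when the new request carries a field issued to this source in the
    current or previous minute; a flood tool that ignores the redirect never does."""
    value = parse_qs(urlsplit(url).query).get(VERIFY_FIELD)
    if not value:
        return False
    return any(hmac.compare_digest(value[0], http_token(src, m))
               for m in (int(now) // 60, int(now) // 60 - 1))


syn_gate = RateGate(threshold=3)   # constructed thresholds, tiny for the demo
http_gate = RateGate(threshold=3)


def on_syn(src, sport, dst, dport, client_isn, now):
    """SYN FLOOD unit: forward SYNs below the threshold; above it, answer with a
    SYN/ACK carrying a cookie instead of creating any state."""
    if not syn_gate.over_threshold(dst, now):
        return ("forward", None)
    return ("syn_ack", syn_cookie(src, sport, dst, dport, client_isn, now))


def on_http_request(src, dst, url, now):
    """HTTP FLOOD unit: forward below the threshold or when the request carries a
    valid field; otherwise challenge the source with a 302 Redirect."""
    if not http_gate.over_threshold(dst, now) or http_verified(src, url, now):
        return ("forward", None)
    return ("redirect", http_challenge(src, url, now))
```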
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (8)

1. A method for integrating distributed denial of service attack protection and load balancing is characterized by comprising the following steps:
judging the type of a received message, transmitting the message to a protection module corresponding to the type of the message according to the type of the message, and detecting the message through message characteristics, protocol characteristics and message statistics to obtain an attack message and a normal message;
the protection module corresponding to the type of the message filters the attack message or establishes a shared memory with a kernel thread module, and sends the normal message to the kernel thread module;
and the kernel thread module receives the normal message through the shared memory, performs Linux virtual server logic processing on the normal message through a Linux virtual server interface according to the type of the normal message, searches and modifies a destination address of the normal message, and then encapsulates the normal message for sending.
2. The method of claim 1, wherein the step of transmitting the packet to a protection module corresponding to the type of the packet for detection according to the type of the packet to obtain an attack packet and a normal packet, and the step of filtering the attack packet by the protection module corresponding to the type of the packet specifically comprises:
counting the transmission rate of the transmission control protocol message, and when the transmission rate of the transmission control protocol message exceeds a threshold value, performing SYN COOKIE verification, connection table lookup or HTTP behavior verification on the transmission control protocol message exceeding the threshold value, and filtering the attack message;
counting the transmission rate and bandwidth of a user datagram protocol message of a source network protocol address and a destination network protocol address, and discarding the user datagram protocol message when the transmission rate or bandwidth of the user datagram protocol message exceeds a threshold value;
counting the bandwidth of the internet control message protocol message of the target network protocol address, and discarding the internet control message protocol message when the bandwidth of the internet control message protocol message exceeds a threshold value.
3. The method of claim 2, wherein counting the transmission rate of the transmission control protocol message, regarding an attack as present when the threshold value is exceeded, and filtering the attack message by performing SYN COOKIE verification, connection table lookup or HTTP behavior verification specifically comprises the following steps:
SYN FLOOD detection protection: counting SYN messages of each target network protocol address, starting protection when the SYN messages exceed a threshold value, verifying by adopting a SYN COOKIE mode, responding the SYN/ACK messages with COOKIE to the attack messages, and verifying the subsequent ACK messages by using COOKIE;
ACK FLOOD detection protection: protecting according to the connection table, transmitting a legal handshake ACK message into the kernel to establish connection, and directly discarding an illegal ACK message;
HTTP FLOOD detection protection: counting the hypertext transfer protocol request messages, starting protection when the hypertext transfer protocol request messages exceed a set threshold value, sending a hypertext transfer protocol response message with an added verification field to the network protocol address initiating the request, and verifying the field in the messages subsequently sent from the network protocol address.
4. The method of integrating distributed denial of service attack protection and load balancing according to claims 1-3, wherein the specific steps of performing Linux virtual server logic processing on the normal packet through a Linux virtual server interface according to the type of the normal packet, searching and modifying the destination address of the normal packet, and then encapsulating the normal packet for transmission are as follows:
judging whether the message of the transmission control protocol type is a handshake message;
if the message is a handshake message, calling an interface of the Linux virtual server to establish connection, modifying the handshake message according to the physical address information of the next hop in a connection table, packaging the handshake message, and putting the handshake message into a sending queue to wait for sending;
and if the message is not a handshake message, processing according to whether the message has a corresponding connection in a connection table of the Linux virtual server and whether the message is an end message.
5. The method of claim 4, wherein the specific steps of processing according to whether the packet contains a connection in the connection table of the Linux virtual server and whether the packet is an end packet are:
searching a connection table of a Linux virtual server, and judging whether the connection table has connection corresponding to the message;
if the connection table contains the connection corresponding to the message, finding the physical address of the next hop according to the information in the connection table, modifying and packaging the message, and putting the message into a sending queue to wait for sending;
if the connection table does not contain the connection corresponding to the message, judging whether the message is a connection ending message;
if the message is a connection ending message, copying and sending the normal message into a protocol stack, and performing the processing flow of the Linux virtual server to finish connection state updating;
and if the message is not a connection ending message, directly discarding the message.
6. A distributed denial of service attack protection and load balancing integrated system, comprising:
the distributed denial of service protection module is used for judging the type of a received message, transmitting the message to a protection submodule corresponding to the type of the message according to the type of the message, detecting the message through message characteristics, protocol characteristics and message statistics to obtain an attack message and a normal message, filtering the attack message by the protection submodule corresponding to the type of the message or establishing a shared memory with a kernel thread module, and sending the normal message to the kernel thread module;
and the kernel thread module is used for receiving the normal message through the shared memory, performing Linux virtual server logic processing on the normal message through a Linux virtual server interface according to the type of the normal message, finding and modifying a destination address of the normal message, and packaging the normal message for sending.
7. The distributed denial of service attack protection and load balancing system of claim 6, wherein said distributed denial of service protection module comprises:
the message type judging submodule is used for judging the message type;
the transmission control protocol protection sub-module is used for counting the transmission rate of the transmission control protocol message, when the transmission rate of the transmission control protocol message exceeds a threshold value, carrying out SYN COOKIE verification, connection table lookup or HTTP behavior verification on the transmission control protocol message exceeding the threshold value, and filtering the attack message;
the user datagram protocol protection sub-module is used for counting the transmission rate and the bandwidth of a user datagram protocol message of a source network protocol address and a destination network protocol address, and discarding the user datagram protocol message when the transmission rate or the bandwidth of the user datagram protocol message exceeds a threshold value;
and the internet control message protocol protection submodule is used for counting the bandwidth of the internet control message protocol message of the target network protocol address, and discarding the internet control message protocol message when the bandwidth of the internet control message protocol message exceeds a threshold value.
8. The system for integrating distributed denial of service attack protection and load balancing as claimed in claim 7, wherein said transmission control protocol protection sub-module specifically comprises:
SYN FLOOD detection protection unit: used for counting SYN messages of each destination network protocol address, when the SYN messages exceed a threshold value, starting protection, verifying by adopting a SYN COOKIE mode, responding to the attack messages with SYN/ACK messages carrying a COOKIE, and verifying subsequent ACK messages by using the COOKIE;
ACK FLOOD detection protection unit: used for protecting according to the connection table, transmitting a legal handshake ACK message into the kernel to establish connection, and directly discarding an illegal ACK message;
HTTP FLOOD detection protection unit: used for counting the hypertext transfer protocol request messages, when the number exceeds a set threshold value, starting protection, sending a hypertext transfer protocol response message with an added verification field to the network protocol address initiating the request, and verifying the field in the messages subsequently sent from the network protocol address.
CN201710205715.4A 2017-03-31 2017-03-31 Method and system for integrating distributed denial of service attack protection and load balancing Active CN106790310B (en)


Publications (2)

Publication Number Publication Date
CN106790310A CN106790310A (en) 2017-05-31
CN106790310B true CN106790310B (en) 2021-02-02




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant